from the im-in-ur-internet-stealing-ur-files dept

Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.

Behind the malware -- which disguised itself as Microsoft drivers and was served via malicious, fake LinkedIn pages -- lies a cooperative effort between the NSA and GCHQ. Belgacom has long since ousted the intruding software and is now working with a federal prosecutor to pursue a criminal investigation. Belgacom's subversion by this malware -- comparable in sophistication to the infamous Stuxnet, according to Symantec (which published its findings last Sunday) -- led to the breach of EU offices.

Spying on foreign governments is what intelligence agencies are expected to do. But dumping malware into the operating systems of a communications provider generally isn't. Belgacom's infection is the only verified incident so far, but there are likely many, many more considering the Regin malware traces back nearly ten years.

Based on an analysis of the malware samples, Regin appears to have been developed over the course of more than a decade; The Intercept has identified traces of its components dating back as far as 2003. Regin was mentioned at a recent Hack.lu conference in Luxembourg, and Symantec’s report on Sunday said the firm had identified Regin on infected systems operated by private companies, government entities, and research institutes in countries such as Russia, Saudi Arabia, Mexico, Ireland, Belgium, and Iran.

GCHQ has issued boilerplate in response to The Intercept's request for a comment. The NSA, on the other hand, apparently isn't going to dignify this story with a non-denial denial, opting instead for something much more brusque:

“We are not going to comment on The Intercept’s speculation.”

What's currently out there in the wild may not be as effective anymore. Belgacom discovered its infection around June 21, 2013, about a week before Der Spiegel published Snowden documents pointing to the digital infiltration of EU offices. The Intercept has made the malware available for download and states the following in its article.

Given that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.

If so, then the two agencies involved have likely moved on to something better and less detectable. Being outed is no reason to stop spying, especially in other nations where legal protections range from "thin" to "nonexistent."

from the is-nothing-sacred? dept

Back in September, it was reported that the UK's equivalent of the NSA, GCHQ, had gleefully hacked Belgacom, the Belgian telco, using a "quantum insert" to plant malware on the computers of key engineers at the company. At the time, it was described as follows:

According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides.

Over the weekend it appears that Der Spiegel published a further report by Laura Poitras on this hacking, which revealed that the spoofed websites used to install this malware were none other than Slashdot and LinkedIn. Interesting choices.

So, it sounds like they did a man-in-the-middle attack, redirecting very specific visitors from those two sites to sites that planted malware instead. I wonder if LinkedIn (which is already involved in a lawsuit over the NSA stuff) and Slashdot have any legal basis to go after the government for effectively attacking their servers?

from the this-pleases-the-spies dept

According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides.

The documents also suggest that GCHQ continued to probe the areas of infrastructure to which the targeted employees had access. The undated presentation states that they were on the verge of accessing the Belgians' central roaming router. The router is used to process international traffic. According to the presentation, the British wanted to use this access for complex attacks ("Man in the Middle" attacks) on smartphone users. The head of GCHQ's Network Analysis Centre (NAC) described Operation Socialist in the presentation as a "success."

Once again, despite various denials, it appears that the NSA/GCHQ have been hacking into companies, rather than directly targeting individuals or terrorist organizations. This leads to questions about the possibility of economic espionage, but also about using these hacked systems for further attacks. As the report notes, this could be especially concerning, given that Belgacom serves the EU Parliament, the EU Council and the EU Commission -- all of whom have been named as "targets" of the NSA (and, by extension, GCHQ, even as the UK is a member of the EU).

As I've said in the past, I'm a lot less disturbed by intelligence gathering on foreign politicians -- that's just standard, everyday, expected espionage activity. However, hacking into companies to do that espionage begins to cross some very questionable lines that could lead to massive economic harm, as well as the ability to mask the surveillance by government agencies as somehow being the fault of those companies.

from the clutching-at-straws dept

Back in November 2011, we wrote about the Belgian music royalty collection agency SABAM's demand for 3.4% of Internet subscriber fees as "compensation" for online piracy in Belgium. As Tim Cushing explained back then, this was ridiculous on just about every level. But SABAM doesn't let little things like that get in the way of its desperate attempt to avoid moving with the times and coming up with new business models. So after failing dismally to convince Europe's highest court that it could force ISPs to spy on their customers, SABAM has now moved on to suing ISPs instead, as TorrentFreak reports:

This week SABAM sued the Belgian ISPs Belgacom, Telenet and Voo, claiming a 3.4 percent cut of Internet subscriber fees as compensation for the rampant piracy they enable through their networks.

SABAM argues that authors should be paid for any "public broadcast" of a song. Pirated downloads and streams on the Internet are such public broadcasts according to the group, and they are therefore entitled to proper compensation.

One of the ISPs being sued, Belgacom, has a better analogy for what's going on here:

"A postman doesn't open letters he delivers. We are also just transporting data, and we are not responsible for the contents," Belgacom says.

That's the "mere conduit" principle, and as TorrentFreak points out, if that defense is overturned here, and the "piracy license" is imposed, the cost will inevitably be passed on to users, which means that people who buy music legally will be paying twice for the privilege. And of course, it wouldn't just be SABAM: the other copyright industries -- films, books, photos, software, games -- will doubtless all line up for their free handout, making online access prohibitively expensive in Belgium.

Perhaps surprisingly, our results present no evidence of digital music sales displacement. While we find important cross country differences in the effects of downloading on music purchases, our findings suggest a rather small complementarity between these two music consumption channels. It seems that the majority of the music that is consumed illegally by the individuals in our sample would not have been purchased if illegal downloading websites were not available to them. The complementarity effect of online streaming is found to be somewhat larger, suggesting a stimulating effect of this activity on the sales of digital music.

That is, streaming sites might even promote digital music sales; so maybe SABAM should be giving money to the ISPs, not asking for it....